
HJT log - Mango

My computer has been infected by Home Search assistant, and I tried to remove it by using add/remove programs, but when I click remove, it says Unable to open "http://looking-for.cc/uninstall/HomeSearchAssistant.html". I ran both adaware and spyware blaster, but it's not really helping. I'll post my log.... so please help me!

Extract the file to the c:\ drive. Then navigate to c:\getservices and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad as a reply to this post along with a brand new hijackthis log.

SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Computer Browser
DEPENDENCIES : LanmanWorkstation
             : LanmanServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ClipBook
DEPENDENCIES : NetDDE
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : COM+ Event System
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Help and Support
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 100 seconds
                : Restart DELAY: 100 seconds
                : None DELAY: 100 seconds

SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Human Interface Device Access
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\imapi.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IMAPI CD-Burning COM Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Server
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP : NetDDEGroup
TAG : 0
DISPLAY_NAME : Network DDE
DEPENDENCIES : NetDDEDSDM
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardDrv
Enables support for legacy non-plug and play smart-card readers used by this computer. If this service is stopped, this computer will not support legacy reader. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smart Card Helper
DEPENDENCIES : +Smart Card Reader
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smart Card
DEPENDENCIES : PlugPlay
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : SchedulerGroup
TAG : 0
DISPLAY_NAME : Task Scheduler
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Performance Logs and Alerts
DEPENDENCIES :
SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Volume Shadow Copy
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: W32Time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

Click on start, then control panel, then administrative programs, then services. Look for a service called Network Security Service. Double click on that service and click stop and then set the startup to disabled.

Step 2:

Press control-alt-delete to get into the task manager and end the following processes if they exist:

Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

Step 6:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

When it has completed, move on to step 7.

Step 7:

Reboot your computer back to normal mode so that we can restore files that were deleted by this infection:

This infection deletes the windows file, shell.dll.

If you are using XP, 2000, or NT please download shell.dll from here: shell-dll.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

%windir%\system32
%windir%\system

If you are using Windows 98 please download shell.dll from here: shell-dll98.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

%windir%\system

If you are using Windows ME please download shell.dll from here: shell-dll98.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

%windir%\system

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

If you have Spybot S&D installed you will also need to replace one file. Go here: SDHelper.zip and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.

If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.

First of all, thank you so much for helping me, and I'm sorry if I'm being bothersome.

K.. one- in step four, I wasn't able to find the following files:

C:\WINDOWS\System32\djqxd.dll
C:\WINDOWS\sdkhu32.dll
C:\WINDOWS\System32\etmib1i.exe
C:\WINDOWS\System32\ircomx.exe
C:\program files\180solutions\sais.exe
C:\program files\BullsEye Network\

2- I wasn't able to run an online antivirus scan at http://housecall.antivirus.com/, because when the page was loading, it asked if I would download something and I clicked yes, but by doing so received an error. So, the second time I tried, I clicked no, and the page did load but the scanner (?) itself didn't. There was just a white box with a red x.

Okay... lastly I'd just like to say that I did everything on the list, yet my homepage is still set to Home Search Assistant; even if I change it, it reverts back to it. Maybe I am doing something wrong?

Extract the zip file to your C: drive. Once it is extracted there will be a directory on your C: drive called ServiceFilter. Inside the C:\ServiceFilter directory will be a file called ServiceFilter.vbs. Simply double-click on the ServiceFilter.vbs. When the script finishes a wordpad document should open with the unknown services listed in it.

If the script could not access wordpad then you will see a message box telling you so. In that case you need to open POST_THIS.TXT by double-clicking it and pasting the contents as a reply to this topic. Please provide a brand new hijackthis log as well in this reply.

The script did not recognize the services listed below. This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"
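
Added example (not part of the thread, and not the ServiceFilter.vbs script, whose code is not shown here): a Python sketch of the same idea, comparing a getservices-style listing against a baseline of recognised services and reporting anything that is unknown or whose binary path has changed. The two baseline entries come from the listing earlier in the thread; the ClipSrv path and the ExampleSvc record in the sample are constructed, with only the display name "Network Security Service" taken from the thread.

```python
import re

# Baseline of recognised services: lower-cased name -> expected binary path.
KNOWN = {
    "browser": r"c:\windows\system32\svchost.exe -k netsvcs",
    "clipsrv": r"c:\windows\system32\clipsrv.exe",
}

# Constructed sample listing. The ClipSrv path and the whole ExampleSvc record
# are invented for illustration; only the display name comes from the thread.
SAMPLE = r"""
SERVICE_NAME: Browser
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Computer Browser
DEPENDENCIES : LanmanWorkstation
             : LanmanServer
SERVICE_NAME: ClipSrv
BINARY_PATH_NAME : C:\WINDOWS\Temp\clipsrv.exe
DISPLAY_NAME : ClipBook
SERVICE_NAME: ExampleSvc
BINARY_PATH_NAME : C:\WINDOWS\system32\example.exe
DISPLAY_NAME : Network Security Service
"""

FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*)$")

def parse_services(text):
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # description text or a DEPENDENCIES continuation line
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVICE_NAME":
            current = {key: value}
            records.append(current)
        elif current is not None:
            current.setdefault(key, value)  # keep the first value per field
    return records

def unrecognised(records, known=KNOWN):
    findings = []
    for r in records:
        expected = known.get(r["SERVICE_NAME"].lower())
        if expected is None:
            findings.append((r["SERVICE_NAME"], "not in baseline"))
        elif expected != r.get("BINARY_PATH_NAME", "").lower():
            findings.append((r["SERVICE_NAME"], "binary path differs from baseline"))
    return findings
```

As the script's own output says, an entry on this list is a candidate for review, not proof of a problem.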

You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

Click on start, then control panel, then administrative programs, then services. Look for a service called Network Security Service. Double click on that service and click stop and then set the startup to disabled.

Step 2:

Press control-alt-delete to get into the task manager and end the following processes if they exist:

C:\WINDOWS\system32\apixu.exe
C:\WINDOWS\system32\mfcub.exe

Step 3:

Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and press the fix button when ready:

Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

Step 6:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

When it has completed, move on to step 7.

Step 7:

Reboot your computer back to normal mode so that we can restore files that were deleted by this infection:

This infection deletes the windows file, shell.dll.

If you are using XP, 2000, or NT please download shell.dll from here: shell-dll.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

%windir%\system32
%windir%\system

If you are using Windows 98 please download shell.dll from here: shell-dll98.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

%windir%\system

If you are using Windows ME please download shell.dll from here: shell-dll98.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

%windir%\system

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

If you have Spybot S&D installed you will also need to replace one file. Go here: SDHelper.zip and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.

If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.